IPSec recommends rekeying SAs, figuring in both time and amount of data sent. Even when using AES-256 in CBC mode, the key and IV commonly get re-negotiated after 100MB.

My case isn't using IPSec, the above is just for comparison.

Assuming a plaintext is encrypted and stored to disk using AES-256 in CBC mode, is there a maximum 'safe' size? Fear not, each plaintext gets its own randomly generated IV. I'm just having a hard time finding what the upper bound is for practicing safe encryption.

1 Answer

As the previous comment said, due to the birthday paradox/problem, after 2^64 blocks (for block ciphers with a 128-bit block size) collisions start to get very likely. The authors of Cryptography Engineering suggest for CBC "2^32 blocks or so"; according to them, that leaves a residual risk of 2^-64 that there will be leakage of a full block (when a collision happens in CBC, you leak 128 bits of information about the plaintext).

This is for CBC, of course; other modes of operation have other characteristics.

Thanks CodeInChaos and cipher! That makes for a good way to frame the problem of collisions. At around 2^64 blocks, it crosses the 50% probability threshold. That point makes for seemingly high risk and very big messages though. With AES’s 128-bit block size, messages can be up to 64GB before breaking out of the 2^32 block length. This method works well for highlighting the risk of unexpected disclosure by collisions in messages that are large (by today’s standards). The probability of birthday collision blocks is still less than one in a million for messages of several hundred petabytes.
– bmedward Apr 27 '12 at 18:21
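The birthday bound and the CBC collision leak discussed in the answer, as an added example that is not part of the original posts. It assumes a toy 16-bit Feistel cipher (hypothetical `toy_encrypt_block`, standing in for AES and not secure) so that a ciphertext collision appears within a few kilobytes; the key, IV and plaintext are constructed sample values.

```python
import hashlib
import math

def collision_probability(n_blocks, block_bits=128):
    """Birthday approximation of P(some two ciphertext blocks are equal)."""
    return -math.expm1(-n_blocks * (n_blocks - 1) / 2 ** (block_bits + 1))

BLOCK = 2  # toy block size in bytes (16 bits) so a collision shows up in a few KB

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_encrypt_block(key, block):
    """4-round Feistel permutation on 16 bits; a stand-in for AES, not secure."""
    left, right = block
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd, right])).digest()[0]
        left, right = right, left ^ f
    return bytes([left, right])

def cbc_encrypt(key, iv, plaintext):
    """Return [IV, C_1, C_2, ...] for a plaintext that is a multiple of BLOCK."""
    blocks = [iv]
    for off in range(0, len(plaintext), BLOCK):
        blocks.append(toy_encrypt_block(key, xor(plaintext[off:off + BLOCK], blocks[-1])))
    return blocks

def find_leak(blocks):
    """From ciphertext alone: first i < j with C_i == C_j, and P_i xor P_j.

    C_i == C_j means P_i ^ C_{i-1} == P_j ^ C_{j-1}, so
    P_i ^ P_j == C_{i-1} ^ C_{j-1}, which the observer can compute.
    """
    seen = {}
    for j in range(1, len(blocks)):
        if blocks[j] in seen:
            i = seen[blocks[j]]
            return i, j, xor(blocks[i - 1], blocks[j - 1])
        seen[blocks[j]] = j
    return None

# Constructed sample input: fixed key/IV and 8 KiB of pseudo-random plaintext.
KEY, IV = b"constructed-key", b"\x13\x37"
PLAINTEXT = hashlib.shake_256(b"constructed plaintext").digest(8192)

if __name__ == "__main__":
    i, j, leak = find_leak(cbc_encrypt(KEY, IV, PLAINTEXT))
    print(f"C_{i} == C_{j}; P_{i} xor P_{j} = {leak.hex()}")
    print(f"AES, 2^32 blocks (64 GiB): p = {collision_probability(2**32):.3e}")
```

With a 128-bit block the same relation holds; only the number of blocks needed before a collision becomes likely changes.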